Implementing IPv6 on z/OS
How hard can it be?
GSE 2012 UK Conference Session FB
Tony Amies

Why Implement IPv6 on z/OS anyway?
• WDS customer poll in 2011
  – Predominantly USA and Europe
  – Some farther afield
• Response was underwhelming
  – Did not respond
  – We have no plans
  – Don’t know

More recently
• Introduction of z196 & z114
  – IPv6 mandatory for intra node management network (INMN)
• US Government Directives
  – IPv6 support mandate
• Exhaustion of IPv4 address pool
  – It's now happened and has been more widely publicized
  – Still of limited concern to most z/OS systems
• New applications
  – Use of push technologies
• New Data centres
  – Using IPv4 would be a backward step.
  – And you may not get any IPv4 addresses anyway.

Implementing IPv6 on z/OS is easy
• Update BPXPRMxx
  – ‘setomvs reset’ dynamically activates
  – But will give you error messages

    NETWORK DOMAINNAME(AF_INET6)
            DOMAINNUMBER(19)
            MAXSOCKETS(30000)
            TYPE(INET)
            INADDRANYPORT(5555)
            INADDRANYCOUNT(1000)

• Update TCPIP Profile
  – Add IPv6 INTERFACE(s)
  – Add IPv6 Routes

    …
    INTERFACE LNKOSA4A
      DEFINE IPAQENET6
      PORTNAME OSA408
      IPADDR fda5:3ad7:3471:5:0:0:0:40
    START LNKOSA4A
    …
    BEGINROUTES
    …
    ROUTE fda5:3ad7:3471:5/64 = LNKOSA4A MTU 1500
    ROUTE DEFAULT6 fda5:3ad7:3471:5:0:0:0:1 LNKOSA4A MTU 1500
    ENDROUTES

Job done, time for lunch?

Mandatory changes to TCPIP Profile
• Must use INTERFACE instead of DEVICE/LINK, HOME
  – For new IPv6 only interfaces
  – For existing interfaces that will support IPv4 and IPv6
  – But should really be used for all interfaces
    • Performance Improvements
      – Workload queues can be defined
      – Reduction of ARP for some VIPAs when subnet mask defined
      – OSA Optimized Latency mode
    • VLANs can be defined
    • Better MTU Size management
    • ‘D OSAINFO’ command only works with INTERFACE
• Must use BeginRoutes/EndRoutes instead of GATEWAY
  – Cannot co-exist with GATEWAY statement
  – IPv4 routing must be re-defined if you still use GATEWAY
• New IPCONFIG6 parameter
  – Check available options .. Most defaults are generally OK.

Do you need new OSA ports for IPv6?
• Not necessarily
  – Use multiple INTERFACE statements with same PORTNAME

    INTERFACE LNKOSA48
      DEFINE IPAQENET
      PORTNAME OSA408
      IPADDR 192.168.5.40
    START LNKOSA48
    INTERFACE LNKOSA4A
      DEFINE IPAQENET6
      PORTNAME OSA408
      IPADDR fda5:3ad7:3471:5:0:0:0:40
    START LNKOSA4A

• VTAMLST TRL Member
  – Must define both datapaths

    VBUILD TYPE=TRL
    TRL408 TRLE LNCTL=MPC,
                MPCLEVEL=QDIO,
                READ=0408,
                WRITE=0409,
                DATAPATH=(040A,040B),
                PORTNAME=(OSA408,0)

And finally …
• You must recycle TCPIP to enable IPv6
  – After the BPXPRMxx update to add AF_INET6
  – ‘setomvs reset’ error messages confirm this
    BPXF202I message : Reason Code 743A7312

So …
What could possibly go wrong?
• You must update BPXPRMxx in PARMLIB
• You must add new definitions to your TCPIP profile
• You may have to re-write some or all of your existing LINK/DEVICE definitions
• You may have to re-write and replace all of your routing definitions.
• And at some point during this process (hopefully earlier rather than later) you must restart TCPIP.

What about those IPv6 Addresses?
• Allows for (practically) an unlimited number of unique addresses
• Movable Prefix/Subnet boundary
• 2000::/3 is prefix for assigned globally unique addresses
  – Must be used to connect to the outside world.
  – Prefix typically 48 bits (but doesn’t have to be) and is public
  – Subnet (typically 16 bits) for internal network routing
• Other address ranges are reserved
  – ::/128 Any/unspecified address (Applications Listen on these)
  – ::1/128 IPv6 Loopback (Communication inside the LPAR)
  – FF00::/8 Multicast (You can see a lot of these on a trace!).
  – FE80::/10 Link Local addresses (Cannot be routed)
  – FC00::/7 Local Unicast Address (Should not be routed outside site)
  – ::FFFF/96 IPv4 mapped address (When IPv4 boxes talk to IPv6 boxes*)
  – Others …

    | Network Prefix | Subnet | Interface ID |
    |        64 bits          |   64 bits    |

Do you have an assigned Global Network Prefix?
• No?
  – you will need one if you want to communicate with the outside world.
• Yes? Congratulations!
  – But, do you really want to use it?
  – Are all your IPv4 addresses in z/OS public internet addressable?
    • Most use a site local address such as 192.168.* or 10.*
    • Your z/OS IP addresses are hidden from the outside world
    • If internet facing, will generally use Network Address Translation
• So what IPv6 address should you use?
  – The IPv6 Site Local prefix was deprecated
  – Replaced by Unique Unicast prefix (FC00::/7)
    • Should not be routed outside your site – which is good
    • But what if you do need internet access to/from z/OS?
    • NAT is not really supported for IPv6?

IPv6 INTERFACEs
• Will have multiple IP addresses
  – One or more Global/Local Unicast addresses you define
  – An automatically generated Site Local address (FE80::/10)
  – Possibly an IPv4 address
• Using a GLOBAL Unicast address (2000::/3)
  – Network prefix must be officially assigned to you
• Using a Local Unicast address (FC00::/7)
  – You could guess one (and hope for the best)
  – Or use address generator sites such as: http://bitace.com/ipv6calc
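
Added example (not from the original slides): instead of guessing a Local Unicast prefix or relying on a generator site, the pseudo-random Global ID algorithm of RFC 4193 section 3.2.2 can be run locally. Locally assigned prefixes fall in fd00::/8, the half of FC00::/7 with the L bit set; the function names are this example's own.

```python
import hashlib
import ipaddress
import struct
import time
import uuid

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

def eui64_from_mac(mac48):
    """Build an EUI-64 from a 48-bit MAC (RFC 4291 Appendix A): flip the
    universal/local bit and insert FF FE in the middle."""
    b = mac48.to_bytes(6, "big")
    return bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]

def ula_prefix(unix_time, mac48):
    """Return the /48 prefix: fd + least significant 40 bits of
    SHA-1(64-bit NTP timestamp || EUI-64)."""
    secs = (int(unix_time) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_time % 1) * 2**32)
    key = struct.pack("!II", secs, frac) + eui64_from_mac(mac48)
    global_id = hashlib.sha1(key).digest()[-5:]
    return ipaddress.IPv6Network((b"\xfd" + global_id + bytes(10), 48))

def subnet(prefix, subnet_id):
    """Carve the /64 for a 16-bit subnet ID out of the /48 site prefix."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID must fit in 16 bits")
    base = int(prefix.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((base, 64))

def generate():
    """Generate a site prefix from this machine's clock and MAC address."""
    return ula_prefix(time.time(), uuid.getnode())

if __name__ == "__main__":
    site = generate()
    print("site prefix:", site)
    print("subnet 5   :", subnet(site, 5))
```

Run it once per site and record the result in the addressing plan; the value is only meant to be unlikely to collide with another site's prefix, not secret.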

And finally …
• Once you’ve decided on the network prefix(s) to use
  – How do you decide the 64 bit interface ID?
  – Required for INTERFACES and VIPAs
  – Must be unique (of course)
• Tempted to simply use the current IPv4 address?
  – 192.168.1.40 ---> fda5:3ad7:3471:1:192:168:1:40?
  – Possible, but can get EZZ0726I “CANNOT BE SPECIFIED” seemingly at random
    • Bits 71 and 72 are reserved in IPv6 addresses (71:Universal/Local, 72:Individual/Group)
    • Using 192 just happens to flip bit 71 on!
• Tempted to simply guess one?
  – There are zillions (give or take) to choose from, what are the chances of a duplicate?
• Better to have an IPv6 addressing strategy from the kick-off.
  – Needs to be in place before you start with z/OS
  – Waiting for this can seriously damage your project schedule

So …
• With IPv4 we didn’t have enough IP addresses
• With IPv6 we seem to have too many
  – Have to decide on whether to use Local/Global addresses
    • Not just for z/OS
    • And how many to use per INTERFACE
    • And do we share the OSA port with IPv4
  – Have to decide on an IPv6 addressing strategy
    • Not just for z/OS
    • Everybody has to agree and adhere to it
What could possibly go wrong?

Multiple TCPIP Stacks
• z/OS Communications Server is a dual mode stack
  – One TCPIP simultaneously supports IPv4 and IPv6
• Multiple Stacks can provide a more isolated/safer environment
  – Reduces stress during major surgery on your TCPIP profile
  – Reduces travel costs
    • You are much less likely to have to visit your site with local SNA workstations when TCPIP won’t start.
  – Enabled by defining Common INET (CINET) in BPXPRMxx
• But
  – You will need OSA port(s) for the 2nd (or nth) TCPIP stack
  – All TCPIP stacks will be IPv6 enabled

    FILESYSTYPE TYPE(CINET) ENTRYPOINT(BPXTCINT)
    SUBFILESYSTYPE NAME(TCPIP)
                   TYPE(CINET) ENTRYPOINT(EZBPFINI) DEFAULT
    SUBFILESYSTYPE NAME(TCPIP2)
                   TYPE(CINET) ENTRYPOINT(EZBPFINI)
    NETWORK DOMAINNAME(AF_INET)
            DOMAINNUMBER(2) MAXSOCKETS(30000) TYPE(CINET)
            INADDRANYPORT(5555) INADDRANYCOUNT(1000)
    NETWORK DOMAINNAME(AF_INET6)
            DOMAINNUMBER(19) MAXSOCKETS(30000) TYPE(CINET)
            INADDRANYPORT(5555) INADDRANYCOUNT(1000)

You DO NOT need to run multiple TCPIP stacks to support IPv4 & IPv6

Application Support
• Applications MUST be changed to support IPv6
  – IPv6 sockets code is different to IPv4 sockets code
  – IPv6 clients CANNOT connect to existing IPv4 servers
  – IPv4 clients can (sometimes*) connect to IPv6 enabled servers
    • IPv4 address converted to an IPv6 mapped address (::FFFF/96)
• IBM Supplied Applications
  – Majority support IPv6
  – Many do so without additional configuration (TN3270, FTP ..)
    • Do you use Exit routines? … parameter lists often contain IP addresses.
    • Do you use SMF records and reporting?
    • Do you use NMI calls? Implementation of IPv4 / IPv6 addresses is not consistent across NMI.
• Do all the applications you use support IPv6?
  – From IBM?
  – From other vendors?
  – Home grown applications/utilities?
• How do you know?
  – If you don’t have a state-of-the-art IP monitor use netstat
  – IPv6 must be enabled and TCPIP re-cycled
* Applications that bind to a specific IP address tie themselves to that address/protocol and cannot support IPv4 and IPv6 without using multiple ports.

Application Support for IPv6 : Sample onetstat output

    INETD4   0000003D Listen
      Local Socket:   0.0.0.0..1023
      Foreign Socket: 0.0.0.0..0
    SSHD4    0000001F Listen
      Local Socket:   ::..22 (IPV6_ONLY)
      Foreign Socket: ::..0
    TN3270   0000001B Listen
      Local Socket:   ::..23
      Foreign Socket: ::..0
    RYO1     000004E2 Listen
      Local Socket:   192.168.5.40..2777
      Foreign Socket: 0.0.0.0..0
    RYO2     000004E0 Listen
      Local Socket:   fda5:3ad7:3471:5::40..6777
      Foreign Socket: ::..0

• INETD4: IPv4 Only : No IPv6 (::) address
• SSHD4: IPv6 Only : because it says so!
• TN3270: IPv4 and IPv6 : IPv6 (::) “ANY” address
• RYO1: IPv4 Only : No IPv6 (::) address
• RYO2: IPv6 Only : BIND to a specific IPv6 address
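
Added example (not from the original slides): Python code that makes the same classification as the callouts above, run over the five listener entries from the slide, as a way to inventory which listeners are reachable over which protocol. The two regular expressions assume the long-format layout exactly as shown on the slide; a real netstat report may need them adjusted.

```python
import ipaddress
import re

# Listener entries copied from the slide above (long-format netstat layout).
SAMPLE = """\
INETD4   0000003D Listen
  Local Socket:   0.0.0.0..1023
  Foreign Socket: 0.0.0.0..0
SSHD4    0000001F Listen
  Local Socket:   ::..22 (IPV6_ONLY)
  Foreign Socket: ::..0
TN3270   0000001B Listen
  Local Socket:   ::..23
  Foreign Socket: ::..0
RYO1     000004E2 Listen
  Local Socket:   192.168.5.40..2777
  Foreign Socket: 0.0.0.0..0
RYO2     000004E0 Listen
  Local Socket:   fda5:3ad7:3471:5::40..6777
  Foreign Socket: ::..0
"""

# Assumption: header and "Local Socket" lines look exactly as on the slide.
HEADER = re.compile(r"^(\S+)\s+([0-9A-F]{8})\s+(\S+)\s*$")
LOCAL = re.compile(r"^\s+Local Socket:\s+(\S+)\.\.(\d+)(\s+\(IPV6_ONLY\))?\s*$")

def classify(addr, v6only):
    """Map a listener's bound address to the protocols it can serve."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return "IPv4 only"              # bound to 0.0.0.0 or one IPv4 address
    if ip.is_unspecified and not v6only:
        return "IPv4 and IPv6"          # IPv6 ANY (::) without IPV6_ONLY
    return "IPv6 only"                  # IPV6_ONLY, or one specific IPv6 address

def listeners(text):
    """Return (job name, port, classification) for every Listen entry."""
    out, name = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            name = head.group(1) if head.group(3) == "Listen" else None
            continue
        local = LOCAL.match(line)
        if local and name:
            addr, port, flag = local.groups()
            out.append((name, int(port), classify(addr, bool(flag))))
            name = None
    return out
```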

Adding IPv6 support to an application
• Application must first detect whether IPv6 is enabled
  – No specific API call for this
  – Most applications attempt to open an IPv6 socket and handle the error!
• Change socket allocation
  – Allocate AF_INET6 sockets instead of AF_INET sockets.
• Use IPv6 socket address structures (much larger than IPv4)
  – Bind, Connect, Sendto, Recvfrom …
  – What if sockaddr_in6 structure is embedded inside a larger structure?
• Use getaddrinfo(); to build IPv6 address structures.
  – From DNS lookup or IP address
• General administration of IPv6 addresses
  – Entered in configuration files, displayed in audit logs
  – Used for security/user identification
  – Space an issue, especially on 3270.
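
Added example (not from the original slides), in Python: once a server listens on the IPv6 ANY address, IPv4 clients show up as IPv4-mapped addresses, so configuration entries, audit logs and address-based access checks need one canonical form per client. The allowlist is hypothetical and simply reuses the example subnets from these slides.

```python
import ipaddress

# Hypothetical allowlist for illustration, built from the slides' example subnets.
ALLOWED = [
    ipaddress.ip_network("192.168.5.0/24"),
    ipaddress.ip_network("fda5:3ad7:3471:5::/64"),
]

def canonical_peer(text):
    """Parse a peer address; unwrap an IPv4-mapped IPv6 address to plain IPv4."""
    addr = text.strip().split("%", 1)[0]   # drop a zone suffix such as %eth0
    ip = ipaddress.ip_address(addr)        # raises ValueError on malformed input
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def is_allowed(text, allowed=ALLOWED):
    """Address-based check that gives the same answer for both spellings
    of an IPv4 client (dotted decimal and IPv4-mapped)."""
    ip = canonical_peer(text)
    return any(ip.version == net.version and ip in net for net in allowed)

def audit_field(text):
    """One spelling per client for logs: compressed, lower case, unmapped."""
    return str(canonical_peer(text))

if __name__ == "__main__":
    for peer in ("::ffff:192.168.5.40", "::FFFF:C0A8:0528",
                 "fda5:3ad7:3471:5:0:0:0:40", "::ffff:10.1.1.1"):
        print(f"{peer:28} -> {audit_field(peer):22} allowed={is_allowed(peer)}")
```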

And finally …
• Just when you were thinking that multiple TCPIP stacks may be worth considering …
  – Applications must have stack affinity
  – An application may be IPv4 and IPv6 capable
    • But over multiple TCPIP stacks?
  – May need to have two copies of all your applications
    • Licensing?
    • Cost?
    • Data sharing?
What could possibly go wrong?

DNS/Names file for IPv6
• DNS is key for IPv6
  – It's hard to remember IPv6 addresses
• What name to use for an IPv6 address?
  – Better to use a unique name instead of IPv4 name
  – Prevents callers having to handle an IPv6 address they were not expecting!
• Better to use IPNODES file on z/OS
  – Referenced in Global resolver configuration
  – Allows both IPv4 and IPv6 names to be defined in one file
  – Good for testing if your external DNS is not IPv6 ready

IPv6 Testing
• How will you test connectivity/compliance?
  – Your workstation/laptop needs a routable IPv6 address
  – Local IPv6 network infrastructure must be in place
    • Routing
    • DHCPv6/Automatic configuration
• Your PC applications must be IPv6 capable
  – Mainline ones tend to be (Browser, FTP etc.)
  – Your 3270 client? Others?
  – And just how do you enter an IPv6 address in a browser?
    http://[fda5:3ad7:3471:5::40]:6709/

IPv6 Testing : Management and Monitoring
• Netstat output changes once IPv6 is enabled (long format)
  – Some NM products rely on netstat screen scraping
  – Home grown Rexx utilities can be impacted
• NM Products
  – Need to have IPv6 support for Monitoring, Tracing
  – Essential for testing and IPv6 problem diagnosis
  – Useful to support ICMPv6
  – Need to cope with an OSA Port having multiple IP addresses
    • IPv4 and IPv6
    • Multiple IPv6

Application Layer Gateways
• Referenced in most IPv6 presentations
• Mentioned in z/OS CS IPv6 Applications and Design Guide
• Often discussed alongside NAT-PT, NAT, DNS
• Typically positioned out in the network somewhere
• But can they help?

Application Layer Gateways
• Can reside anywhere in network (including z/OS)
• Main Purpose
  – To enable IPv6 clients to access IPv4 applications.
  – Addresses one of the limitations covered earlier.
• But have other potential uses …
  – Can enable IPv4 clients to access IPv6 applications (testing)
  – Can provide a type of NAT capability (security)
  – Can provide 6-to-4 or 4-to-6 tunnels (testing)
  – Can facilitate multiple TCPIP stacks (configuration, testing)

Distributed Application Layer Gateway
• IPv4 client can access IPv6 only application
  – May help with testing
• IPv6 client can access IPv4 only application
  – May reduce need to upgrade applications
• Pseudo NAT capability
  – ALG has global address
  – z/OS has FC00::/7 address
• Considerations
  – How many ALGs?
  – Can they handle the capacity?
[Diagram labels: IPv4 Client, IPv6 Client, ALG IPv4 to IPv6, ALG IPv6 to IPv4, z/OS, IPv4 Application, IPv6 Application, TCPIP with IPv4 and IPv6 Interfaces]

z/OS based Application Layer Gateway
• Same benefits as distributed
• Permits multiple TCPIP stacks
  – ALG bridges the two stacks
  – Isolates IPv6 Configuration
• Pseudo NAT
  – Application could also have a link local address
• Capacity less of an issue
[Diagram labels: IPv4 Client, IPv6 Client, z/OS, ALG, TCPIP, TCPIP2, IPv4 Application, IPv6 Application]

Very brief demo, time, technology and security permitting
• z/OS Based IPv6 Application (HTTP Server)
• Laptop connected to Hotel Wi-Fi (not surprisingly, IPv4 only)
• ALG running on z/OS – maps incoming IPv4 to IPv6
[Diagram labels: Internet, Hotel Wi-Fi, Office LAN, IPv6 HTTP Server, ALG, IPv4]

Summary
• Enablement of IPv6 on z/OS is easy
• Implementation of IPv6 on z/OS appears to be easy
  – But may require considerable profile changes
  – Using multiple stacks can both help and hinder
  – Deciding which IPv6 address(es) to use can take time
  – All your applications may not be IPv6 compliant
  – Testing requires IPv6 infrastructure off z/OS to be in place
  – Diagnostic and management tools with IPv6 support are needed
• Application Layer Gateways
  – Possible short/medium term solution to many of the issues
  – Especially if the ALG is on z/OS

Thank You
Questions?